From f5ff12216df1fabee5db99e3d2c1b92ae15afcb4 Mon Sep 17 00:00:00 2001 From: Michael Vogt Date: Tue, 12 Mar 2024 13:06:30 +0100 Subject: [PATCH] install: manually label {/etc/fstab,tmpfile.d/bootc-root-ssh.conf} Right now bootc supports an experimental install from a non-selinux host when using the `BOOTC_SKIP_SELINUX_HOST_CHECK=1` option. This is nice and works relatively well. However files written during the install like /etc/fstab or the tmpfiles.dfile in /etc/tmpfile.d/bootc-root-ssh.conf must be labeled too. This commit adds a (rather crude) manual way to do this. Closes https://github.com/containers/bootc/issues/362 Signed-off-by: Michael Vogt --- lib/src/install.rs | 5 ++++- lib/src/install/osconfig.rs | 17 +++++++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/lib/src/install.rs b/lib/src/install.rs index 060444340..547608fae 100644 --- a/lib/src/install.rs +++ b/lib/src/install.rs @@ -644,8 +644,11 @@ async fn initialize_ostree_root_from_self( } f.flush()?; + let fstab_path = Utf8PathBuf::try_from(root.canonicalize("etc/fstab")?)?; + state.lsm_label(&fstab_path, "/etc/fstab".into(), false)?; + if let Some(contents) = state.root_ssh_authorized_keys.as_deref() { - osconfig::inject_root_ssh_authorized_keys(&root, contents)?; + osconfig::inject_root_ssh_authorized_keys(&root, &state, contents)?; } let uname = rustix::system::uname(); diff --git a/lib/src/install/osconfig.rs b/lib/src/install/osconfig.rs index 6bddc6400..97785da71 100644 --- a/lib/src/install/osconfig.rs +++ b/lib/src/install/osconfig.rs @@ -1,5 +1,5 @@ use anyhow::Result; -use camino::Utf8Path; +use camino::{Utf8Path, Utf8PathBuf}; use cap_std::fs::Dir; use cap_std_ext::{cap_std, dirext::CapStdExtDirExt}; use fn_error_context::context; @@ -8,7 +8,11 @@ const ETC_TMPFILES: &str = "etc/tmpfiles.d"; const ROOT_SSH_TMPFILE: &str = "bootc-root-ssh.conf"; #[context("Injecting root authorized_keys")] -pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Result<()> { +pub(crate) fn inject_root_ssh_authorized_keys( + root: &Dir, + state: &crate::install::State, + contents: &str, +) -> Result<()> { // While not documented right now, this one looks like it does not newline wrap let b64_encoded = ostree_ext::glib::base64_encode(contents.as_bytes()); // See the example in https://systemd.io/CREDENTIALS/ @@ -18,6 +22,15 @@ pub(crate) fn inject_root_ssh_authorized_keys(root: &Dir, contents: &str) -> Res root.create_dir_all(tmpfiles_dir)?; let target = tmpfiles_dir.join(ROOT_SSH_TMPFILE); root.atomic_write(&target, &tmpfiles_content)?; + + let as_path = Utf8Path::new(ETC_TMPFILES).join(ROOT_SSH_TMPFILE); + let as_root_dir_path = root.canonicalize(&as_path)?; + state.lsm_label( + &Utf8PathBuf::try_from(as_root_dir_path)?, + &Utf8PathBuf::from("/").join(as_path), + false, + )?; + println!("Injected: {target}"); Ok(()) }